NetComm Wireless is a leading developer and supplier of high performance communication devices that connect businesses and people to the internet.
Products and services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband communication devices
Customers:
Telecommunications carriers
Internet Service Providers
System Integrators
Channel partners
Enterprise customers
Product:
=======
HSPA 3G10WVE is a wireless router
It integrates a wireless LAN, HSPA module and voice gateway into one stylish unit. Insert an active HSPA SIM Card into the slot on the rear panel & get instant access to 3G internet connection. Etisalat HSPA 3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which means that one can stay connected using the internet & phone. If one need a flexible internet connection for his business or at home; this is the perfect solution.
Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an anonymous unauthorized attacker to 1) bypass authentication and gain unauthorized access of router's network troubleshooting page (ping.cgi) and 2) exploit a command injection vulnerability on ping.cgi, which could result in a complete system/network compromise.
Below listed vulnerabilities enable an anonymous unauthorized attacker to gain access of network troubleshooting page (ping.cgi) on wireless router and inject commands to compromise full system/network.
1) Bypass authentication and gain unauthorized access vulnerability - CVE-2015-6023
2) Command injection vulnerability - CVE-2016-6024
====
NetCommWireless HSPA 3G10WVE Wireless Router ? Multiple vulnerabilities
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-6023, CVE-2016-6024
Date:
====
03-05-2016 (dd/mm/yyyy)
Vendor:
======
NetComm Wireless is a leading developer and supplier of high performance communication devices that connect businesses and people to the internet.
Products and services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband communication devices
Customers:
Telecommunications carriers
Internet Service Providers
System Integrators
Channel partners
Enterprise customers
Product:
=======
HSPA 3G10WVE is a wireless router
It integrates a wireless LAN, HSPA module and voice gateway into one stylish unit. Insert an active HSPA SIM Card into the slot on the rear panel & get instant access to 3G internet connection. Etisalat HSPA 3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which means that one can stay connected using the internet & phone. If one need a flexible internet connection for his business or at home; this is the perfect solution.
Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp
Abstract:
=======
Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an anonymous unauthorized attacker to 1) bypass authentication and gain unauthorized access of router's network troubleshooting page (ping.cgi) and 2) exploit a command injection vulnerability on ping.cgi, which could result in a complete system/network compromise.
Report-Timeline:
============
03-09-2015: Vendor notification
08-09-2015: Vendor Response/Feedback
02-05-2016: Vendor Fix/Patch
03-05-2016: Public Disclosure
Affected Software Version:
=============
3G10WVE-L101-S306ETS-C01_R03
Exploitation-Technique:
===================
Remote
Severity Rating (CVSS):
===================
10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Details:
=======
Below listed vulnerabilities enable an anonymous unauthorized attacker to gain access of network troubleshooting page (ping.cgi) on wireless router and inject commands to compromise full system/network.
1) Bypass authentication and gain unauthorized access vulnerability - CVE-2015-6023
2) Command injection vulnerability - CVE-2016-6024
Vulnerable module/page/application: ping.cgi
Vulnerable parameter: DIA_IPADDRESS
Proof Of Concept:
================
PoC URL: http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd
PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk
Patched/Fixed Firmware and notes:
==========================
ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin
NOTE: Verified only by Vendor
Credits:
=======
Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
[ reply ]